

feat: Add support for FIPS 140-3 compliance check
Signed-off-by: Anurag Rajawat <[email protected]>
anurag-rajawat committed May 20, 2024
1 parent 667b189 commit a9940b6
Showing 5 changed files with 55 additions and 11 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
FROM ubuntu:latest
FROM ubuntu:22.04

RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openssl ca-certificates curl netcat jq
RUN curl -LO https://dl.k8s.io/release/v1.27.2/bin/linux/amd64/kubectl --output-dir /usr/local/bin/ && chmod +x /usr/local/bin/kubectl
2 changes: 1 addition & 1 deletion Makefile
@@ -1,5 +1,5 @@
build:
docker buildx build -t kubearmor/k8tls:latest .
docker build -t kubearmor/k8tls:latest .

push:
docker push kubearmor/k8tls:latest
1 change: 1 addition & 0 deletions config/addr.list
Expand Up @@ -10,3 +10,4 @@ dh480.badssl.com:443 BadSSL
isunknownaddress.com:12345 LocalTest
localhost:9090 webserver
localhost:22 localssh
apigateway-fips.us-east-1.amazonaws.com:443 AmazonAPIGateway
49 changes: 45 additions & 4 deletions src/findings_tls
@@ -1,13 +1,52 @@
#!/bin/bash

contains() {
search_value="$1"
shift # Remove the first argument (search value) from positional parameters
array=("$@") # Remaining arguments become the array

for element in "${array[@]}"; do
if [[ "$element" == "$search_value" ]]; then
return 0
fi
done

return 1
}

is_fips_compliant() {
TLS_10_11_FIPS_CIPHERS=("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA")

TLS_12_FIPS_CIPHERS=("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA")

TLS_13_FIPS_CIPHERS=("TLS_AES_256_GCM_SHA384" "TLS_AES_128_GCM_SHA256" "TLS_AES_128_CCM_SHA256" "TLS_AES_128_CCM_8_SHA256")

case "$TLS_Protocol_version" in
"TLSv1.3")
if contains "$TLS_Ciphersuite" "${TLS_13_FIPS_CIPHERS[@]}"; then
FIPS_140_3_Compliant="Yes"
fi
;;
"TLSv1.2")
if contains "$TLS_Ciphersuite" "${TLS_12_FIPS_CIPHERS[@]}"; then
FIPS_140_3_Compliant="Yes"
fi
;;
"TLSv1.1"|"TLSv1.0")
if contains "$TLS_Ciphersuite" "${TLS_10_11_FIPS_CIPHERS[@]}"; then
FIPS_140_3_Compliant="Yes"
fi
;;
esac
}

opensslscan()
{
tmp=/tmp/tls.out
rm -f $tmp 2>/dev/null
timeout 2s openssl s_client -CApath /etc/ssl/certs/ -connect "$SVC_Address" -brief < /dev/null 2>$tmp
# echo "ret=$ret"
# cat $tmp
conn_estd=0
FIPS_140_3_Compliant="No"
while read line; do
[[ "$line" == "CONNECTION ESTABLISHED" ]] && conn_estd=1
[[ $conn_estd -ne 1 ]] && continue
Expand All @@ -18,14 +57,15 @@ opensslscan()
printf -v "TLS_$key" '%s' "$val"
TLS_Status="TLS"
done < $tmp
is_fips_compliant
[[ "$TLS_Verification_error" != "" ]] && TLS_Verification="$TLS_Verification_error"
}

tls_csvreport()
{
[[ "$csvout" == "" ]] && return
cat << EOF >> $csvout
"$SVC_Name","$SVC_Address","$TLS_Status","$TLS_Protocol_version","$TLS_Ciphersuite","$TLS_Hash_used","$TLS_Signature_type","$TLS_Verification"
"$SVC_Name","$SVC_Address","$TLS_Status","$TLS_Protocol_version","$TLS_Ciphersuite","$TLS_Hash_used","$TLS_Signature_type","$TLS_Verification","$FIPS_140_3_Compliant"
EOF
}

Expand Down Expand Up @@ -56,7 +96,8 @@ k8tls_tls_00chktls()
"severity": "critical",
"remediationEstEffort": "medium",
"solution": "enable TLS or transport security on the port.",
"status": "$status"
"status": "$status",
"fips_140_3_compliant": "$FIPS_140_3_Compliant"
}
EOF
}
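Review bot: In `is_fips_compliant` the TLS 1.0–1.2 lists use IANA suite names (`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`), but as far as I recall `openssl s_client -brief` reports pre-1.3 suites under OpenSSL's own names (`ECDHE-RSA-AES256-GCM-SHA384`), so only the `TLSv1.3` branch can ever set `FIPS_140_3_Compliant="Yes"` and every TLS 1.2 endpoint would be reported as non-compliant; worth confirming against a real scan and, if so, normalising before the lookup with something like `std=$(openssl ciphers -stdname "$TLS_Ciphersuite" 2>/dev/null | awk '{print $1}')` and passing `"${std:-$TLS_Ciphersuite}"` to `contains`. `contains` also leaks `search_value`, `array` and `element` into the caller's scope and the three cipher arrays are globals too; `local` on each keeps per-scan state confined. Because a suite match says nothing about whether the peer's crypto module is validated, a header comment such as `# "Yes" means the negotiated cipher suite is on this script's approved list; it does not prove the endpoint uses a FIPS 140-3 validated module.` would stop consumers of the CSV/JSON over-reading the column. Whether a `TLSv1.0`/`TLSv1.1` session should ever be labelled compliant is also worth a second look, since current NIST guidance has deprecated those versions.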
12 changes: 7 additions & 5 deletions src/tlsscan
Expand Up @@ -57,7 +57,7 @@ csvheader()
{
[[ "$csvout" == "" ]] && return
if [ ! -f "$csvout" ]; then
echo "Name,Address,Status,Version,Ciphersuite,Hash,Signature,Verification" > $csvout
echo "Name,Address,Status,Version,Ciphersuite,Hash,Signature,Verification,FIPS_140_3_Compliant" > $csvout
fi
}

Expand Down Expand Up @@ -123,17 +123,19 @@ scansvc()

getsummary()
{
status_arr=(
status_arr=(
"certificate has expired"
"self-signed certificate"
"insecure port"
"connection failure"
"connection failure",
"FIPS 140-3 compliant"
)
regex_arr=(
regex_arr=(
"certificate has expired"
"self-signed certificate"
"PLAIN_TEXT"
"CONNFAIL"
"CONNFAIL",
"Yes"
)
echo "Status,Count" > $summcsv
for((i=0;;i++)); do
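Review bot: The trailing commas added on `"connection failure",` and `"CONNFAIL",` become part of the array elements (bash arrays are whitespace-separated, not comma-separated), so the summary label is emitted as `connection failure,` — an extra column in the `Status,Count` file — and the pattern `CONNFAIL,` no longer matches a report row where the status field is quoted (`"CONNFAIL","…"`), so that count silently drops to zero; both commas should be removed. The new pattern `Yes` is also matched anywhere in the row, so a service name or address containing that string would be counted as FIPS compliant; anchoring it to the last CSV field, e.g. `,"Yes"$`, would be safer. The loop body of `getsummary` continues outside the hunk, so the way `regex_arr` is applied is inferred from its name.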
